Biden’s Executive Order: The Inclusivity Imperative

Inclusivity – the percentage of an organization’s existing IT infrastructure protected through a Zero Trust approach – is the biggest key to a successful deployment. Yet inclusivity is not given nearly enough weight in President Biden’s recent Executive Order on improving the nation’s cybersecurity.

Why is inclusivity so important to Zero Trust? If a Zero Trust strategy only protects some resources, organizations can be left with a patchwork of protection and several different ways of controlling access. That exposes far too many vulnerabilities across the attack surface. Many organizations still face this unenviable situation today, despite making huge investments in IT security over the past decades.

A good example of this is the cloud, which somehow has become Zero Trust’s Holy Grail. Yes, a cloud-based Zero Trust strategy works for cloud applications, but it falls short in closing attack vectors for on-premise resources, such as open ports on firewalls. Also, most Zero Trust cloud strategies only protect web-based applications. That’s not practical for most large distributed enterprises – a hallmark of federal agencies – which have a wide-ranging assortment of resources to protect: legacy applications, client-server applications, virtual desktop infrastructure and more.

These gaps are why many organizations still struggle with getting the most out of their Zero Trust strategy today. The biggest oversight is that organizations don’t first fully identify the critical factors that should drive their Zero Trust strategy. They would have been well advised to fully address the unique, complex and complicated access needs of both their local and cloud-based resources. And they should have done so in an accelerated manner that didn’t take years to roll out, while hackers continue to exploit vulnerabilities across their attack surfaces. They also should have focused on making the lives of end users and admins easier – not adding even more security hoops to jump through. And yet many organizations don’t think this through.

These are the gargantuan challenges the US Government now faces – at a much larger scale, with more dire consequences if it fails.

Why do so many organizations still struggle with Zero Trust? A big reason is that, since the concept was first introduced more than a decade ago, Zero Trust has to a large degree become a nebulous term. For instance, at the 2020 RSA Conference, there were 90-plus vendors pitching some form of Zero Trust solution.

These approaches generally break down into three distinct categories: identity-focused, data-focused and access-focused. While there are some common threads, there are also significant deviations when it comes to effectiveness, inclusivity and ability to deploy.

An identity-focused approach has a narrow emphasis on shoring up identity and is typically too limited for the complex challenges outlined in Biden’s Executive Order. While shoring up identity is good, and can be quickly implemented, an identity-focused approach simply provides much too light a touch to comprehensively address the complex infrastructure security needs of the sprawling, cross-matrixed US Government.

A data-focused approach provides a significantly more robust Zero Trust strategy. But the more in-depth approach also creates a time-sink: it can require months or years to go live, time the government doesn’t have to address the aggressive, sophisticated attacks taking place now. Once it is rolled out, a data-focused approach often makes the user experience even more complicated. Worse, it doesn’t truly focus on the root cause of the existing gaps across the attack surface: controlling access. A data-focused strategy controls access to the data, not all resources, so hackers can still move laterally across the infrastructure, local and cloud, to cause more damage.

An access-focused approach combines and accelerates the other two Zero Trust strategies: it shores up authentication, protects access both on-premise and in the cloud, and enables a quick rollout for a complex infrastructure such as the US Federal Government. Agencies also don’t have to do the heavy lift of ripping and replacing their existing IT security infrastructure – their legacy security solutions are consolidated under a Zero Trust access strategy.

The US Government should also incorporate Single Sign On (SSO) technology into Zero Trust to seamlessly authenticate access requests in real time. SSO makes life much easier for users and administrators alike, so they can focus on being productive instead of trying to remember passwords or calling the Help Desk to repeatedly reset their credentials.

As the US Federal Government moves forward under the Biden Administration’s Executive Order, it is imperative that it addresses full inclusivity – both for the resources and applications spread across its vast infrastructure, and for its millions of users. And it is imperative regardless of which Zero Trust approach it does select.
